CASCADE: Joint Cyber Sensor Architecture
CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Outline
• Project Overview
• Current Status
• Proposed Architecture
• Towards 2015

Project Overview
Alignment of passive cyber sensor capabilities and architecture in the SIGINT and ITS missions.
• Goals
  o Common sensor technology and architecture
  o Address scalability issues in sensor deployments
• Scope
  o Passive sensors and supporting infrastructure are in scope
  o Analytic tools are out of scope
  o Host-based capability is out of scope (caveat: passive messaging is in scope)

Our Sensors: SIGINT and ITS
• PHOTONIC PRISM: monitoring of GC networks. Includes:
  o Full-take packet capture
  o Signature-based detection
  o Anomaly-based discovery
  o Analytic environment
  o Oversight and compliance tools
• EONBLUE: monitoring in passive SIGINT. Includes:
  o Full-take on specific accesses
  o Signature-based detection
  o Anomaly-based discovery
  Additional functions are offloaded and exist further downstream:
  o Analytic environment
  o Dataflow and targeting
  o Oversight and compliance tools

Shades of Blue
• EONBLUE: 10Gbps, Dell R610 1U platform; TS//SI processing; tracking and discovery; content and metadata
• INDUCTION: multiple 10Gbps, distributed processing cloud; TS//SI processing; tracking and discovery; PXE boot infrastructure
• THIRD-EYE: multiple 1Gbps, cyber metadata processor; UNCLASSIFIED processing; metadata production

Current Status: SIGINT
• Special Source
  o 100% INDUCTION coverage of main SSO sites (metadata production)
  o THIRD-EYE metadata production at select new sites
  o CRUCIBLE deployments to newly emerging sites (pre-SCIF environment survey)
  o Increase in link speeds
• Warranted Collection
  o EONBLUE sensor deployment (full-take collection)
• FORNSAT
  o Recently upgraded to the current EONBLUE code base
  o Leveraging the GCHQ CHOKEPOINT solution to integrate with the environment; virtualized
  o Working on SUNWHEEL
• SMO
  o CHOKEPOINT system en route to CASSIOPEIA
  o No SUNWHEEL presence as yet; plans to leverage the CHOKEPOINT capability

Current Status: ITS
• Deployment at 3 edge-gateway GC departments; dynamic defence is enabled at two of these sites
• Deployment at the main government backbone: dual 10Gbps links, 3Gbps loading
• Data volumes continue to increase due to Internet Access Point aggregation
• Currently performing full take and storage of all monitored traffic
• System performance issues; overall analyst usability issues

While both ITS and SIGINT currently leverage EONBLUE software:
  o The architectures are not aligned
  o Configuration differs greatly
  o Software versions are not standard across programs
  o The full capability of EONBLUE is not being leveraged equally across programs

Proposal: CASCADE, A Way Forward

Problem Statement
• Divergence
  o Sensor architectures have diverged between ITS and SIGINT
  o Within each area, versions are not standardized
• Management and Scalability
  o Some configurations will not scale
  o Difficult to manage the current sensor environment
  o High cost to grow the existing solution (people, HW, SW costs)
• Duplication of Effort
  o Divergence creates duplication of effort
  o Limited resources are not focused on innovation and new challenges

A Phased Approach
• Phase I
  o Ensure that the SIGINT and ITS approaches to tracking and metadata production are aligned
  o Address performance and stability issues with SCNET
  o Improve query performance for full-take data
  o Extend native messaging between business lines
• Phase II
  o Develop and implement a strategy to better do full-take
  o Ensure targeting is unified
  o Simplify version management
• Later phases
  o Shared mission space
  o Single interconnected sensor grid
  o Host/network interoperability

Tracking and Metadata
• Ensure EONBLUE is deployed in a standard fashion across all environments
• Upgrade SCNET to 10Gbps
• Update all SIGINT collection sites to the latest EONBLUE code release
• Produce standard metadata:
  o DNS response harvesting
  o HTTP client/server headers
  o IP-to-IP flow summarizations
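The three metadata products named on the Tracking and Metadata slide (DNS response harvesting, HTTP client/server headers, IP-to-IP flow summarizations) are what a passive sensor emits when it is not doing full-take. The following is an added example written for this page, not EONBLUE, INDUCTION or THIRD-EYE code: a stdlib-only Python pipeline that parses raw IPv4 packets and produces the three record types. The record field names, the packet builders and the sample traffic (one DNS lookup followed by one HTTP exchange to the resolved address) are constructed for the example; the packets are IPv4 with the link-layer header already stripped.

```python
# Passive metadata production from raw IPv4 packets: DNS responses, HTTP heads, IP-to-IP flows.
# Added example written for this page, not sensor code; record layouts and traffic are constructed.
import socket
import struct
from collections import defaultdict

def read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # pointer: the name continues at the target offset
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def harvest_dns(payload):
    """Yield (qname, ipv4) for each A answer in a DNS response; queries (QR bit clear) yield nothing."""
    if len(payload) < 12 or not payload[2] & 0x80:
        return
    qdcount, ancount = struct.unpack("!HH", payload[4:8])
    off = 12
    for _ in range(qdcount):                        # skip the question: name + qtype + qclass
        off = read_name(payload, off)[1] + 4
    for _ in range(ancount):
        name, off = read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield name, socket.inet_ntoa(payload[off:off + 4])
        off += rdlen

def harvest_http(payload):
    """Return (kind, start_line, {header: value}) for an HTTP request or response head, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    words = lines[0].split(" ")
    if words[0].startswith("HTTP/"):
        kind = "response"
    elif len(words) == 3 and words[2].startswith("HTTP/"):
        kind = "request"
    else:
        return None
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return kind, lines[0], headers

def produce_metadata(packets):
    """Run the passive pipeline; return (dns_records, http_records, flow_summaries)."""
    dns, http = [], []
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:                             # IPv4 packets with no link-layer header
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
        sport, dport, payload = None, None, b""
        if proto in (6, 17):                        # TCP or UDP: read the ports, strip the L4 header
            sport, dport = struct.unpack("!HH", seg[:4])
            payload = seg[(seg[12] >> 4) * 4 if proto == 6 else 8:]
        flow = flows[(src, dst, proto, sport, dport)]   # one summary per unidirectional 5-tuple
        flow["packets"] += 1
        flow["bytes"] += len(pkt)
        if proto == 17 and sport == 53:
            dns += [{"server": src, "client": dst, "qname": q, "a": a} for q, a in harvest_dns(payload)]
        elif proto == 6 and payload:
            head = harvest_http(payload)
            if head:
                http.append({"src": src, "dst": dst, "kind": head[0], "line": head[1], "headers": head[2]})
    return dns, http, dict(flows)

def build_packet(src, dst, proto, sport, dport, data):
    """Constructed IPv4 packet with a minimal UDP (8-byte) or TCP (20-byte, data offset 5) header."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4

def build_dns(qname, answer=None):
    """Constructed DNS query, or response whose single A answer names its owner via pointer 0xC00C."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    flags, ancount = (0x8180, 1) if answer else (0x0100, 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + q + struct.pack("!HH", 1, 1)
    if answer:
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer)
    return msg

SAMPLE_PACKETS = [   # constructed traffic: one DNS lookup, then one HTTP exchange to the answer
    build_packet("10.0.0.5", "192.0.2.53", 17, 40000, 53, build_dns("update.example.net")),
    build_packet("192.0.2.53", "10.0.0.5", 17, 53, 40000, build_dns("update.example.net", "198.51.100.7")),
    build_packet("10.0.0.5", "198.51.100.7", 6, 50123, 80,
                 b"GET /check HTTP/1.1\r\nHost: update.example.net\r\nUser-Agent: Agent/1.0\r\n\r\n"),
    build_packet("198.51.100.7", "10.0.0.5", 6, 80, 50123,
                 b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"),
]

if __name__ == "__main__":
    for record_set in produce_metadata(SAMPLE_PACKETS):
        print(record_set)
```

Two design points worth noting. Only responses are harvested from DNS (the QR bit check), since the answer set, not the question, is what ties a name to the address a host then connects to; and the flow summary is keyed on the unidirectional 5-tuple, so a later stage pairs directions rather than the sensor guessing. A real sensor would also reassemble TCP before looking for an HTTP head; this example treats each segment on its own.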
Full-Take Strategy
• Address SCNET scalability
  o Reconfiguration and design of the storage solution
  o Improved and enforced data indexing and querying
• Leverage the Third-Eye architecture
  o Distributed collection grid at multiple clients
  o Queries are federated and centrally managed
  o Enables unique data ingest at the client department (e.g. firewall logs)

Benefits
• Improved performance: better data indexing techniques; federated queries across multiple systems
• Reduced cost: storage local to client departments ($10,000 to $25,000 per client); re-use of back-end storage
• Enables departmental security officers and operators; the capability of Third-Eye exceeds what is commercially available
Cons
• Requires network connections to each GC department
• Requires a footprint within each department's datacenter
• Complexity of distributed processing

Sensor Interoperability
• EONBLUE sensors exchange messages to enable more robust selection and filtering
  o Messages should be automatically exchanged between SIGINT and ITS/CTEC
  o The sensor environment will be connected to enable seamless message flows
• Targeting selectors for cyber threats will be unified
  o When updates are made to SIGINT sensors, the selectors will be automatically replicated for ITS
  o JAZZFLUTE should support ITS analysts targeting SIGINT systems
• Simplify sensor version management
  o Rapid deployment of new capability, seamless across all programs and sites
  o Distributed INDUCTION across the WAN
  o The EBSH sensor has a custom CLI like a switch and supports inline binary updates
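The Full-Take Strategy and Benefits slides above describe the Third-Eye pattern: storage stays local to each client department, indexing is enforced at the store, and a central manager runs federated queries across departments, including record types only one department ingests (the firewall-log case). The following is an added example written for this page, not Third-Eye code. The `DepartmentStore` and `FederationManager` names, the record fields and the sample records are constructed; the unreachable store models the con on the same slide, that the design requires a network connection to each GC department.

```python
# Federated, centrally managed query over department-local metadata stores.
# Added example written for this page, not Third-Eye code; layouts and sample data are constructed.
from collections import defaultdict


class DepartmentStore:
    """One client department's store: records stay local and are indexed by peer IP."""

    def __init__(self, name, records, reachable=True):
        self.name, self.reachable = name, reachable
        self.by_ip = defaultdict(list)              # enforced index: ip -> records, time-sorted
        for rec in sorted(records, key=lambda r: r["ts"]):
            for ip in (rec["src"], rec["dst"]):
                self.by_ip[ip].append(rec)

    def query(self, ip, t0, t1, limit):
        """Evaluate locally: index lookup, then time-window filter; the limit is applied here too."""
        if not self.reachable:
            raise ConnectionError(f"{self.name}: sensor link down")
        return [r for r in self.by_ip.get(ip, []) if t0 <= r["ts"] <= t1][:limit]


class FederationManager:
    """Central manager: fans one query out, merges the partial results, reports per-store status."""

    def __init__(self, stores):
        self.stores = list(stores)

    def query(self, ip, t0, t1, limit=100):
        merged, status = [], {}
        for store in self.stores:
            try:
                hits = store.query(ip, t0, t1, limit)
            except ConnectionError as exc:          # a down department degrades the query, not fails it
                status[store.name] = f"error: {exc}"
                continue
            status[store.name] = f"ok: {len(hits)}"
            merged += [dict(r, department=store.name) for r in hits]   # provenance tag
        merged.sort(key=lambda r: (r["ts"], r["department"]))         # global time order
        return merged[:limit], status


# Constructed sample data: two departments with different record types, one department unreachable.
C2 = "198.51.100.7"
DEPT_A = DepartmentStore("dept-a", [
    {"ts": 1000, "type": "flow", "src": "10.1.0.8", "dst": C2, "dport": 443, "bytes": 900},
    {"ts": 1060, "type": "flow", "src": "10.1.0.8", "dst": C2, "dport": 443, "bytes": 870},
    {"ts": 1090, "type": "flow", "src": "10.1.0.9", "dst": "203.0.113.2", "dport": 80, "bytes": 120},
])
DEPT_B = DepartmentStore("dept-b", [      # unique ingest: this department's own firewall log
    {"ts": 1030, "type": "firewall", "src": "10.2.0.4", "dst": C2, "dport": 443, "action": "deny"},
    {"ts": 5000, "type": "firewall", "src": "10.2.0.4", "dst": C2, "dport": 443, "action": "deny"},
])
DEPT_C = DepartmentStore("dept-c", [], reachable=False)
GRID = FederationManager([DEPT_A, DEPT_B, DEPT_C])


def run_sample():
    """Who talked to the C2 address between t=900 and t=1100, across all departments?"""
    return GRID.query(C2, 900, 1100)


if __name__ == "__main__":
    results, status = run_sample()
    print(status)
    for r in results:
        print(r)
```

The limit is applied twice on purpose: each store caps its own answer so a single busy department cannot flood the manager, and the manager caps the merged, time-ordered result. The status map is returned alongside the hits so an analyst can see which departments were actually consulted; a federated answer with a silent gap is worse than an honest partial one.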
Interoperability Enables Synchronization
• ITS access to data collected by SIGINT sensors
• Outputs should be common to enable a common analyst platform
• The sensor environment should be seamlessly integrated
• Capability remains at the cutting edge
• Single release for all collection programs in SIGINT, all points of presence, and across both missions
• Management is simplified for operators, focusing on sensor expansions
• Standardized OS versions and optimizations

Unified Sensor Environment
• All cyber sensors form a complete eco-system
• Access point is mandate/authority agnostic
• Sensors are multi-modal: defence or intelligence from any sensor, anytime
• Extend messaging to host-based capabilities: IT Security host-based agents; CNE implants
• Cyber processing and analytic environments converge
  o Two-tier environment: automated GUI-rich environment for operators; command-line driven RAW access for discovery
  o Shared network resources for common services: wiki, blog, chat; NIS, NTP, DNS, messaging, etc.

Synchronized Deployment Strategy
• Where do you deploy sensors to maximize detection capabilities for foreign intelligence collection and network defence?
• Coverage-based deployment considerations: what are the gaps?
• Threat-based deployment considerations: what are the gaps?
  o Based on EPRs
  o Threat trends and forecasting reports
  o Adversary TTPs

Canadian Cyber Sensor Grid
[Diagram: GC departments (defensive monitoring, secure channel), Canadian Internet space, systems of importance, FORNSAT and foreign Internet space, with access types Special Source, Special Access, Warranted Access and GAZEBO Access.]

Towards 2015: Beyond Sensor Unification
Strategic Priorities for CSEC
• Strengthen Team CSEC and prepare for our new facility
• Adopt innovative and agile business solutions
• Expand our access footprint
• Improve analytic tradecraft
• Automate manual processes
• Synchronize the cryptologic enterprise for the cyber security mission
• Enable effects for threat mitigation

Cyber Sensor in 2015
• Expand our access footprint
  o We will increase SPECIAL SOURCE access to include all international gateways accessible from Canada
  o We will deploy a sensor system that creates a protective grid at multiple layers over Government operations in Canada and at all classification levels
• Improve analytic tradecraft
  o We will equip SIGINT and cyber defence analysts with tools for flexible manipulation and customized analysis of large-scale data sets
  o We will build analytic tradecraft that understands, anticipates and exploits the methodology of threat agents to provide comprehensive cyber situational awareness based on multiple sources of cryptologic data

Cyber Sensor in 2015 (continued)
• Synchronize the cryptologic enterprise for the cyber security mission
  o We will improve how we anticipate, identify, track and mitigate cyber threats on government systems through new concepts of joint operations
  o We will design and develop joint SIGINT-ITS systems, including common data repositories and joint tasking and analytic systems
  o We will increase operational capacity by ensuring SIGINT, ITS and cryptologic partner sensors interoperate seamlessly
  o We will synchronize and use ITS and SIGINT capabilities and complementary analyses to thwart cyber threats
• Enable effects for threat mitigation
  o We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates
  o We will build the technical infrastructure, policy architecture and tradecraft necessary to conduct Effects operations
  o We will further integrate ITS and SIGINT authorities and operations to leverage the common sensors, systems and capabilities necessary for active and expanded dynamic cyber defence measures

The Network Is The Sensor
Principles
• Security needs to be transparent to the user in order to be effective
• Security is a right for all Canadians: federal government, municipal and provincial governments, critical infrastructure, industry, the citizen
• End users should incur little cost for security
• IT assets should be distributed
• Access is mandate/authority agnostic
Goals
• Detect threats as they enter our national networks, not at the gateway
• Identify exfiltration and command and control anywhere in our national networks
• The network is your defence for all infrastructure
Rationale
• We can't keep pace with our adversary
• Gateway device and end-node protection is not sufficient (essential, yes)
• Rather than plugging one hole at a time, build better layered defence

Principles Explained
• Security is transparent
  o If security inhibits functionality or interferes with user experience, it will be bypassed
• Security is a right
  o Attempting to protect everybody with end-node and gateway defences is not feasible
• IT assets should be distributed
  o We run an open-market network: providers will compete to provide access
  o Consolidated gateways create single points of failure
  o Cost and redundancy considerations

Principles Explained (continued)
• Detection before the attack hits its target
  o If we wish to enable defence, we must have intelligence to know when attacks enter our national infrastructure
• Identify exfiltration and command and control
  o Some attacks will slip through or can't be seen (i.e. shaping)
  o Exploit our temporal advantage: aggressively pursue these implants, as they will communicate 'home' for instruction
• The network IS your defence
  o In some cases, in cooperation with our partners, we can effect change at the CORE of the Internet on detection: modify traffic routes; silently discard malicious traffic (hygiene filtering); insert payload to disrupt adversaries
Keeping Pace with the Adversary
• From the time a malicious PDF is opened until SEEDSPHERE has interactive control of a workstation is 3 minutes
• There are countless malicious actors: state, crime, generic malware
• Gateway and end-node defence by itself is insufficient; it is only one part of the problem
  o Over 600,000 apps in the iTunes App Store: how do you secure that?
  o Defence in depth includes network monitoring and network interaction
• Build better defence
  o Our current MO is to resolve one incident at a time
  o Automate the defence through a robust network capable of not only detection but manipulation of malicious traffic

What Does It Mean?
• EONBLUE will be integrated into the network
  o Monitoring Government of Canada
  o Monitoring core infrastructure: Special Source, extending the reach to view national infrastructure
  o Monitoring foreign Internet space
• EONBLUE will enable defensive operations
  o Through robust communication with host-based capabilities
  o Through direct manipulation of network communications
  o Through interaction with telco infrastructure to effect change

Food for Thought: Changing the Way We Think
• Tipping and cueing
  o If the purpose is to enable defence of national infrastructure, it becomes unnecessary in a 5-Eyes context: we have full visibility of our national infrastructure; the chance of 'beating' the Internet for the latency of an attack is minimal; the network will perform the filtering
  o What if instead T&C enables intelligence collection (cyber session collection)?
• Targeting and tasking
  o We all share common targets, and we will all target, using our national capability, the cyber threats we know about
  o No need for 2nd-party tasking and targeting requests; instead expose cyber information across the community
  o What if instead we focus on analytic collaboration and knowledge transfer: TEXPRO information, federated repositories (malware, traffic, etc.)?

Changing the Way We Think (continued)
• Foreign SIGINT intercept
  o Becomes the 'hunting ground' for discovery of new threats
  o Enables attribution and counter-intelligence reporting
  o Defence is taken care of by 'The Network'
• Mobile platforms are the next frontier: what is their implication for cyber?
• Domestic defence
  o We will exhaust the treasury deploying network appliances to perform dynamic defence
  o The same capabilities will be integrated into the CORE of the Internet
• Defence in depth through complementary capabilities on end nodes, at the gateway and in the core of the Internet

CASCADE
• The harmonization of ITS and SIGINT sensor capabilities
• Lays the foundation for long-term integration of Cyber within the cryptologic enterprise
Towards 2015: The Network is the Sensor
• Defence, mitigation and intelligence all formed from a single comprehensive network creating a perimeter around Canada
• Extending our reach through 5-Eyes partnerships to ensure mutual defence of national assets